Last active
August 29, 2015 14:02
Openssl Apache Self Signed SSL Certificate
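# Build a private CA and use it to sign a TLS server certificate (e.g. for
# Apache). Run as root from the directory that should hold ./public and
# ./private. openssl prompts interactively for the CA key passphrase and for
# the subject fields of both requests.
SERVER="webserver.dns.domain.name"

# setup the working directory
mkdir -vp ./public
mkdir -vp ./private
# close the key directory to other users before any key is written into it
chmod 0700 ./private

# #########
# custom CA
# #########
# generate the custom CA private key
# 4096-bit RSA, passphrase-protected with AES-256 (1024-bit RSA and 3DES are
# no longer adequate for a key that signs certificates for ten years)
openssl genrsa -aes256 -out private/cacert.key 4096
# generate the custom CA certificate request
# "-config ./openssl.cnf" optional
openssl req -new -sha256 -key private/cacert.key -out private/cacert.csr
# generate the custom CA certificate
# "openssl x509" takes its extensions from -extfile, so -extensions v3_ca only
# has an effect when that section is supplied in a file; write it here so the
# result is marked as a CA (basicConstraints CA:TRUE).
printf '%s\n' \
  '[v3_ca]' \
  'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier = hash' \
  > private/cacert.ext
openssl x509 -req -sha256 -days 3650 -extfile private/cacert.ext -extensions v3_ca -signkey private/cacert.key -in private/cacert.csr -out public/cacert.crt

# ##########
# SSL server
# ##########
# create the CSR and the private key for the SSL server (maybe the Apache web server?)
# "-config ./openssl.cnf" optional
# No -x509 here: that flag makes "req" emit a self-signed certificate instead
# of a request. The CSR goes to private/, which is where the signing step
# below reads it from. The key is left unencrypted (-nodes) so the web server
# can start unattended; the file permissions below are its only protection.
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "private/$SERVER.key" -out "private/$SERVER.csr"
# custom CA certificate sign
# Current TLS clients match the host name against subjectAltName, not the
# subject CN, so add the server name as a SAN.
printf 'subjectAltName = DNS:%s\n' "$SERVER" > "private/$SERVER.ext"
# -CAcreateserial / -CAserial keep a serial-number file next to the CA key so
# each certificate issued by this CA gets a distinct serial; a fixed
# "-set_serial 01" collides as soon as a second certificate is issued.
# NOTE(review): some clients reject server certificates valid for more than
# about two years even under a private CA - confirm 3650 days suits yours.
openssl x509 -req -sha256 -days 3650 -CA public/cacert.crt -CAkey private/cacert.key -CAserial private/cacert.srl -CAcreateserial -extfile "private/$SERVER.ext" -in "private/$SERVER.csr" -out "public/$SERVER.crt"
#openssl ca -policy policy_anything -CAfile private/cacert.crt -out private/$SERVER.crt -infiles private/$SERVER.csr -days 365
#openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem

# ###########
# maintenance
# ###########
# fix the private key file permission
# Directories and files get separate modes: a recursive "chmod 0400" or
# "chmod 0644" also strips the search (x) bit from the directory itself, which
# leaves its contents unreachable for every non-root user.
chown -Rfv root:root private
find private -type d -exec chmod -v 0700 {} +
find private -type f -exec chmod -v 0400 {} +
# NOTE(review): the group-read bit on the server key only matters if the
# apache group can also traverse ./private; presumably httpd reads the key as
# root at startup - confirm for your setup.
chown -fv root:apache "private/$SERVER.key"
chmod -fv 0440 "private/$SERVER.key"
chown -Rfv root:apache public
find public -type d -exec chmod -v 0755 {} +
find public -type f -exec chmod -v 0644 {} +
# see http://alessice.wordpress.com/2008/10/28/come-si-genera-un-csr-certificate-signing-request/
# see http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
# see http://forum.synology.com/wiki/index.php/How_to_generate_custom_SSL_certificates

# ##################
# certificate verify
# ##################
# dump the issued certificate, then confirm it chains to the custom CA for
# TLS server use
openssl x509 -in "public/$SERVER.crt" -noout -text
openssl x509 -subject -issuer -enddate -noout -in "public/$SERVER.crt"
openssl verify -purpose sslserver -CAfile public/cacert.crt "public/$SERVER.crt"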